PT-2025-29119 · Apache +11 · Apache HTTP Server +11

Jörg Schwenk +7 · Published 2025-04-22 · Updated 2026-05-28 · CVE-2025-49812

CVSS v2.0: 7.8 High

Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions: Apache HTTP Server versions through 2.4.63
Description: In certain mod_ssl configurations, a man-in-the-middle attacker can hijack an HTTP session through a TLS upgrade attack. This issue affects configurations utilizing “SSLEngine optional” to enable TLS upgrades. The attack is related to HTTP desynchronization.
Recommendations: Upgrade to version 2.4.64, which removes support for TLS upgrade.

Fix

DoS

Improper Authentication

Weakness Enumeration

Related Identifiers

ALSA-2025:15023
ALSA-2025:15095
ALSA-2025:15123
ALT-PU-2025-9373
ALT-PU-2025-9540
ALT-PU-2025-9924
AZL-65097
AZL-65112
BDU:2025-08696
BIT-APACHE-2025-49812
CESA-2025_15123
CVE-2025-49812
DLA-4270-1
INFSA-2025_15023
INFSA-2025_15123
MGASA-2025-0301
OESA-2025-2168
OESA-2025-2169
OESA-2025-2170
OESA-2025-2171
OESA-2025-2172
OESA-2025-2278
OPENSUSE-SU-2025:15360-1
OPENSUSE-SU-2025:15369-1
OPENSUSE-SU-2026:20810-1
RHSA-2025:13680
RHSA-2025:14998
RHSA-2025:15036
RHSA-2025_15023
RHSA-2025_15123
SUSE-SU-2025:02565-1
SUSE-SU-2025:02682-1
SUSE-SU-2025:02683-1
SUSE-SU-2025:02684-1
SUSE-SU-2025:02685-1
SUSE-SU-2025_02565-1
SUSE-SU-2025_02682-1
SUSE-SU-2025_02683-1
SUSE-SU-2025_02684-1
SUSE-SU-2025_02685-1
SUSE-SU-2026:21846-1
USN-7639-1
USN-7639-2
USN-8338-1

Affected Products

ALT Linux
AlmaLinux
Apache HTTP Server
Astra Linux
CentOS
Debian
Linux Mint
Red Hat
RED OS
Rocky Linux
SUSE
Ubuntu